Date: Sat, 19 Jul 2014 16:54:50 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Mark Felder <feld@freebsd.org>
Cc: Mailinglists FreeBSD <freebsd-questions@freebsd.org>, Gleb Smirnoff <glebius@freebsd.org>, Darren Pilgrim <list_freebsd@bluerosetech.com>, Andreas Nilsson <andrnils@gmail.com>, Current FreeBSD <freebsd-current@freebsd.org>
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <CAN6yY1uP5mpUqEa%2BUyLCnVkTeui5AUHZa5D8%2BE1Nm5t=A3NjPg@mail.gmail.com>
In-Reply-To: <8E7D9358-29BA-48F9-9067-1BBA48470673@FreeBSD.org>
References: <53C706C9.6090506@com.jkkn.dk> <20140718110645.GN87212@FreeBSD.org> <53C9DAA1.4020006@bluerosetech.com> <CAPS9%2BSt%2B2Q01SNWcP9sMja3hUnFNenUE11S5cHMeueC-9wSn1g@mail.gmail.com> <8E7D9358-29BA-48F9-9067-1BBA48470673@FreeBSD.org>
On Sat, Jul 19, 2014 at 6:50 AM, Mark Felder <feld@freebsd.org> wrote:

>
> On Jul 19, 2014, at 3:35, Andreas Nilsson <andrnils@gmail.com> wrote:
>
> > On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
> >
> >> On 7/18/2014 4:06 AM, Gleb Smirnoff wrote:
> >>
> >>> K> b) We are a major release away from OpenBSD (5.6 coming soon) - is
> >>> K> following OpenBSD's pf the past? - should it be?
> >>>
> >>> Following OpenBSD on features would be cool, but no bulk imports
> >>> would be made again. Bulk imports produce bad quality of port,
> >>> and also pf in OpenBSD has no multi thread support.
> >>>
> >>
> >> I would much rather have a slower pf that actually supports modern
> >> networking than a faster one I can't use due to showstopper flaws and
> >> missing features.
> >>
> >
> > So would I. Not that we use pf, but anyway.
> >
> >>
> >> There is currently no viable firewall module for FreeBSD if you want to do
> >> things like route IPv6.
> >
> >
> > Isn't that possible with ipfw?
> >
> > Perhaps the pf guys in OpenBSD could be convinced to start openpf and have
> > porting layer as in openzfs.
> >
>
> I do not know ipfw IPv6 limitations, but the Wikipedia article says:
>
> * IPv6 support (with several limitations)
>
>
> Choice is nice, but I would like to see the project promote one firewall
> to users. My coworkers long ago jumped ship from ipfw to pf and I now
> regret that decision due to the IPv6 bugs. At this point it's too hard to
> migrate all the servers off of pf.
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>

I believe that this is obsolete, at least with 10. It certainly used to be the case in older versions. I suspect the improved ipfw is now in 9.3 and perhaps even 8.4, but I can't swear to it.
I do know that the 10.0 version broke several of my firewall rules, which would have made back-porting to older versions unacceptable, but I believe that this is no longer the case. Some IPv6-specific keywords had been eliminated, but I think that they are all back in place now. No longer required, but there for compatibility. The last feature I am aware of that lacked IPv6 support was tables. If any more exist, they are subtle and I have not hit them to this point.

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com